In order to deploy your application on Android devices (and on the Android Market), you need to sign it. Luckily, you can generate your own certificate and use it to sign your application. Find out how the process works.

by Wei-Meng Lee

Nov 20, 2008

Page 2 of 3

All Android Applications Must Be Digitally Signed
All Android applications must be signed before they can be deployed onto a device (or emulator). Unlike some other mobile platforms, Android does not require you to purchase a digital certificate from a certificate authority (CA): the platform checks that an .apk carries a valid signature, but it never chains the signing certificate to a CA. Instead, you generate your own self-signed certificate and use it to sign your Android applications.

Figure 2. Signing Your App: All Android applications developed in Eclipse are signed using a default debug keystore.

When you use Eclipse to develop your Android application and then press F11 to deploy it to an emulator, Eclipse signs it for you automatically. To verify this, go to Window > Preferences in Eclipse, expand the Android item, and select Build (see Figure 2). Eclipse uses a default debug keystore (debug.keystore) to sign your application.

Signing an Application Manually
If you are publishing an Android application, you must sign it with your own certificate. Applications signed with the debug certificate cannot be published; the debug keystore uses a fixed, publicly documented password and key alias, so anyone can sign an .apk with it, and a debug signature therefore proves nothing about who built the application. To sign your application manually, you need to perform the following steps:

Compile your application in release mode, without the debug signature. To do so in Eclipse, right-click on the package name and select Android Tools > Export Unsigned Application Package… (see Figure 3).

You will then be asked to select a directory for exporting the application (an Android package has the .apk extension). For convenience, I have exported the Android package to C:\Program Files\Java\jdk1.6.0_10\bin\ (see Figure 4); you will see why shortly. (Note that I am using JDK 1.6 Update 10; you might have another version on your computer, in which case the folder name will differ slightly.)

If you wish to sign your application using the debug keystore (for testing only, never for a published build), copy the debug.keystore file from C:\Documents and Settings\\Local Settings\Application Data\Android\ to C:\Program Files\Java\jdk1.6.0_10\bin\.

Use the jarsigner.exe tool (which comes with your JDK) located in C:\Program Files\Java\jdk1.6.0_10\bin\ to sign the .apk file with the specified keystore, giving it the keystore, the .apk file and the alias of the key to sign with:

When prompted for the keystore password, use the default password: android.

The jarsigner.exe tool takes in the following options:

-keystore: This is the name of the keystore containing your private key.

-verbose: This enables verbose output.

The alias for the debug.keystore file is androiddebugkey. Figure 5 shows the application signed with the debug.keystore default keystore.

Figure 5. Signed with the Keystore: Signing the .apk file with debug.keystore.

Figure 6. Verified and Certified: Verifying that the application was signed correctly.

To verify that the application is signed correctly, use the -verify option of jarsigner.exe. Add the -certs option to print the certificate used to sign the application (see Figure 6); for an .apk signed with debug.keystore you will see the debug certificate, CN=Android Debug, O=Android, C=US, which is the quickest way to catch a build that was accidentally signed with the debug key instead of your release key.
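What jarsigner actually writes into the .apk during the signing step above, and what jarsigner -verify checks, is a chain of digests: META-INF/MANIFEST.MF holds a SHA-1 of every file, META-INF/CERT.SF holds digests of the manifest and of each manifest section, and META-INF/CERT.RSA holds the keystore key's PKCS#7 signature over CERT.SF. The following Python is an added example, not code from the article: it builds MANIFEST.MF and CERT.SF for a constructed in-memory stand-in for the exported unsigned package, verifies the chain, and shows that patching one file (here a fake classes.dex) is detected. The CERT.RSA step is left out because it needs a key and a crypto library, so this code checks that nothing changed, not who signed; the file names, contents and function names (sign_apk, verify_apk, replace_entry) are the example's own.

```python
# Added example (not the article's code): the digest chain jarsigner writes into
# META-INF/MANIFEST.MF and META-INF/CERT.SF and that `jarsigner -verify` checks,
# built and verified on a constructed in-memory APK. CERT.RSA (the PKCS#7 block in
# which the keystore's private key signs CERT.SF) is left out: it needs a key and
# a crypto library, so this code cannot tell WHO signed, only whether files changed.
import base64, hashlib, io, zipfile

MANIFEST, SIG_FILE = "META-INF/MANIFEST.MF", "META-INF/CERT.SF"

def _b64_sha1(data: bytes) -> str:           # digests are stored base64-encoded
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def _section(*lines: str) -> str:
    """Attribute lines, CRLF-terminated, then a blank line (72-byte folding skipped)."""
    return "".join(f"{ln}\r\n" for ln in lines) + "\r\n"

def split_sections(text: bytes) -> list:
    """Cut a manifest into sections; keep each trailing blank line, CERT.SF digests cover it."""
    sections, buf = [], b""
    for line in text.splitlines(keepends=True):
        buf += line
        if line in (b"\r\n", b"\n"):
            sections.append(buf)
            buf = b""
    return sections + ([buf] if buf else [])

def parse_attrs(section: bytes) -> dict:
    """'Key: value' lines of one section as a dict."""
    pairs = (ln.split(": ", 1) for ln in section.decode().splitlines() if ": " in ln)
    return dict(pairs)

def make_unsigned_apk() -> bytes:
    """Constructed stand-in for the 'unsigned application package' exported from Eclipse."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.hello'/>")
        zf.writestr("classes.dex", b"dex\n035\x00 fake bytecode for the example")
        zf.writestr("res/layout/main.xml", b"<LinearLayout/>")
    return out.getvalue()

def sign_apk(unsigned_apk: bytes) -> bytes:
    """Add MANIFEST.MF and CERT.SF the way jarsigner does (CERT.RSA omitted, see top)."""
    with zipfile.ZipFile(io.BytesIO(unsigned_apk)) as zf:
        entries = {n: zf.read(n) for n in zf.namelist()
                   if not n.startswith("META-INF/") and not n.endswith("/")}
    # MANIFEST.MF: a main section, then one section per file holding the file's SHA-1
    m_secs = [_section("Manifest-Version: 1.0", "Created-By: added example")]
    m_secs += [_section(f"Name: {n}", f"SHA1-Digest: {_b64_sha1(d)}") for n, d in entries.items()]
    manifest = "".join(m_secs).encode()
    # CERT.SF: SHA-1 of the whole manifest, then SHA-1 of each manifest section
    sf = _section("Signature-Version: 1.0", f"SHA1-Digest-Manifest: {_b64_sha1(manifest)}")
    sf += "".join(_section(f"Name: {n}", f"SHA1-Digest: {_b64_sha1(s.encode())}")
                  for n, s in zip(entries, m_secs[1:]))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, manifest)
        zf.writestr(SIG_FILE, sf.encode())
        for n, d in entries.items():
            zf.writestr(n, d)
    return out.getvalue()

def verify_apk(apk: bytes) -> list:
    """Return the problems found; an empty list means the digest chain is intact."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = set(zf.namelist())
        if MANIFEST not in names or SIG_FILE not in names:
            return ["unsigned: META-INF/MANIFEST.MF or CERT.SF missing"]
        manifest, sf = zf.read(MANIFEST), zf.read(SIG_FILE)
        m_secs, s_secs = split_sections(manifest), split_sections(sf)
        # 1. CERT.SF must vouch for the manifest as a whole and for each of its sections
        if parse_attrs(s_secs[0]).get("SHA1-Digest-Manifest") != _b64_sha1(manifest):
            problems.append("MANIFEST.MF does not match SHA1-Digest-Manifest in CERT.SF")
        m_by_name = {parse_attrs(s)["Name"]: s for s in m_secs[1:]}
        for a in map(parse_attrs, s_secs[1:]):
            if _b64_sha1(m_by_name.get(a["Name"], b"")) != a["SHA1-Digest"]:
                problems.append(f"manifest section for {a['Name']} does not match CERT.SF")
        # 2. each manifest digest must match the file actually in the archive
        for name, sec in m_by_name.items():
            if name not in names:
                problems.append(f"{name} is listed in the manifest but missing")
            elif _b64_sha1(zf.read(name)) != parse_attrs(sec)["SHA1-Digest"]:
                problems.append(f"{name} content does not match its manifest digest")
        # 3. every file must be covered: an unlisted file is unsigned content
        for name in names:
            if not name.startswith("META-INF/") and not name.endswith("/") and name not in m_by_name:
                problems.append(f"{name} is not covered by the manifest")
    return problems

def replace_entry(apk: bytes, name: str, data: bytes) -> bytes:
    """Patch one file without touching META-INF, as someone tampering with a signed APK would."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for n in src.namelist():
            dst.writestr(n, data if n == name else src.read(n))
    return out.getvalue()

if __name__ == "__main__":
    signed = sign_apk(make_unsigned_apk())
    print("signed APK:  ", verify_apk(signed) or "digest chain OK")
    patched = replace_entry(signed, "classes.dex", b"dex\n035\x00 patched bytecode")
    print("patched APK: ", verify_apk(patched))
```

On the article's own setup the equivalent commands, with the .apk name assumed, are jarsigner -verbose -keystore debug.keystore HelloWorld.apk androiddebugkey to sign and jarsigner -verify -verbose -certs HelloWorld.apk to check; note that the patched package above still contains a CERT.SF and CERT.RSA, so the mere presence of signature files in META-INF says nothing, only re-running the verification does.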